Recorded December 19, 2019 at G-Unit Studios in Rhode Island!
- 1 Introduction
- 2 Segment 1: DevOps and Securing Applications
- 3 Segment 2: Security vs. Compliance
- 4 Segment 3: Security History - Lessons from the past
First up in this episode is our round table discussion on DevOps and Securing Applications where we'll cover how to navigate the wide variety of options for securing modern applications and the processes used to build and deploy software today. Next up we debate one of information security's long-standing debates: security versus compliance in what is sure to be a lively round table discussion. The final segment in this episode assembles a panel of experts to discuss the history of security and what we can learn from the past. Stay tuned for all that and more on this very special episode of Paul's Security Weekly.
Segment 1: DevOps and Securing Applications
Welcome to our round table discussion on DevOps and Security Applications. Quick reminder for our listeners, every week we record Application Security Weekly, featuring Mike Sheema, John Kinsella and Matt Alderman covering all of the latest application security news and research along with interviews with some of the best and brightest minds in appsec today. You can subscribe to Application Security Weekly, and all of our shows on the Security Weekly network by visiting securityweekly.com/subscribe.
- Given that DevOps is a process and its execution requires many different tools, how do we get started "doing DevOps"?
- What about DevOps allows us to produce more secure applications?
- What concepts inside of DevOps do most people lose site of?
- What are the major challenges involved in taking an application from traditional development to DevOps?
- What are some of the best approaches to making an application more resilient to threats, specifically:
- Static Code Analysis
- Software Compisition Analysis
- Software Testing
- Web Application Scanning
- To ORM or not to ORM?
- Which services do you implement yourself vs. using a cloud service?
- How do I choose the best secrets vault?
- What should I use an orchestrator for and what should I not use an orchestrator for?
- How do I build a secure API for my app?
- Thoughts on GraphQL vs. REST security implications?
✶Click Headshots for Full Bio✶
- Puma Scan (commercial) and open source (http://github.com/pumasecurity/puma-scan)
Segment 2: Security vs. Compliance
Welcome to our round table discussion on security versus compliance. Quick reminder for our listeners, every week we record Security and Compliance Weekly, featuring Jeff Man, Josh Marpet and Scott Lyons covering all of the latest compliance and security news along with interviews with folks close to challenges and success stories in compliance today. You can subscribe to Security and Compliance Weekly, and all of our shows on the Security Weekly network, by visiting securityweekly.com/subscribe.
It was once said that if Security and Compliance were in a relationship the status would be "It's Complicated". This discussion will aim to help you understand this relationship and how it can be beneficial or a mere distraction to an organization's overall security posture.
- Define "Secure" and "Compliant".
- Does compliance merely raise awareness about security shortcomings?
- What is the relationship between Security and Compliance?
- Being Secure and being Compliant are mere points in time, how can we best develop a process to ensure we are always striving to a secure and compliant state?
- How does Security impact and/or influence Compliance?
- How does Compliance impact and/or influence Security?
- How do you balance these extremes: "We will be Secure and ignore compliance" vs. "We will be compliant but ignore security"
✶Click Headshots for Full Bio✶
Segment 3: Security History - Lessons from the past
Welcome to our security history roundtable discussion. I'd like to remind our listeners to subscribe to the Security Weekly mailing list where you'll receive information about our upcoming webcasts, virtual training and Security Weekly appearances at conferences throughout the year. You can subscribe to our mailing list, and all of the podcasts on the Security Weekly network, by visiting securityweekly.com/subscribe.
The history of security can be traced back to a variety of different sources. The amount of articles on the topic is dizzying. Most will cite names of early phone phreaks, Kevin Mitnick, Kevin Poulsen, Steve Jobs, Steve Wozniak and quickly transition to many other more recent "hacks" or breaches. Our goal is to not review the history of hacking. This is the history of security. We've carefully chosen key events and research to discuss the very beginnings of security, and their impact and lessons for today's ever-evolving security landscape.
- 1903 - Nevil Maskelyne Hacked A Wireless Telegraph Demonstration - The second it became physically possible to hack into something, somebody did it. That somebody’s name was Nevil Maskleyne, history’s first hacker, and he was around a lot earlier than you might expect. He hacked into a live telegraph demonstration in 1903. - Dot-dash-diss: The gentleman hacker's 1903 lulz
- 1939-1940 - Breaking the Enigma cipher - BOMBE was the name of an electro-mechanical machine, developed during WWII by Alan Turing and Gordon Welchman, whilst working as codebreakers at Bletchley Park. It was used to help breaking the German Enigma codes and was (partly) based on the so-called BOMBA, an earlier machine developed by Polish mathematicians in 1938. From 1943 onwards, an improved version of the British BOMBE was built in the US by the US Navy and — independently — by the US Army.
- 1966 - The World's First Computer Password? It Was Useless Too - Fernando Corbató implements passwords on CTSS on an IBM 7090. CTSS may also have been the first system to experience a data breach. One day in 1966, a software bug jumbled up the system's welcome message and its master password file so that anyone who logged in was presented with the entire list of CTSS passwords. But that's not the good story. Twenty-five years after the fact, Allan Scherr, a Ph.D. researcher at MIT in the early '60s, came clean about the earliest documented case of password theft. In the spring of 1962, Scherr was looking for a way to bump up his usage time on CTSS. He had been allotted four hours per week, but it wasn't nearly enough time to run the detailed performance simulations he'd designed for the new computer system. So he simply printed out all of the passwords stored on the system.
- 1969 - RABBITS Was Probably The First Computer Virus: 1969 - The first computer virus in history may have been a program called RABBITS. Nobody knows who made it, and nobody knows why, but whoever it was brought the University of Washington Computer Center down. It was a tiny, inconspicuous program that made copies of itself—breeding, as its name suggested, like rabbits. In 1969, someone installed it onto a computer at the university and let it run. The program made two copies of itself, and then each of those copies made copies until the computer overloaded and stopped working.
- 1971 - Creeper and Reaper - Creeper was an experimental computer program written by Bob Thomas at BBN in 1971. Its original iteration was designed to move between DEC PDP-10 mainframe computers running the TENEX operating system using the ARPANET, with a later version by Ray Tomlinson designed to copy itself between computers rather than simply move. This self-replicating version of Creeper is generally accepted to be the first computer worm. The program was not actively malicious software as it caused no damage to data, the only effect being a message it output to the teletype reading "I'm the creeper: catch me if you can". Reaper (program) was a similar program created by Ray Tomlinson to move across the ARPANET and delete the self-replicating Creeper.
- 1973 - Oral History of Robert Metcalfe - What had happened was a couple of high school students hacked into the Arpanet through one of the early TIPs. A TIP [Terminal IMP] was a way to dial into a Telnet program so you could then log in to any of the computers on the Arpanet. Imagine that! And some high school students, as I recall they were probably in Los Angeles around UCLA, somewhere like that, managed to find out the phone number. No one was keeping it a secret. Acoustically coupled modems were the big thing in those days, and so these high school kids got into some of the computers and did some mischief. They caught my attention, so I wrote this 602 RFC saying “Look out! Trouble!”
- RFC 602 The Stockings Were Hung by the Chimney with Care - Individual sites, used to physical limitations on machine access, have not yet taken sufficient precautions toward securing their systems against unauthorized remote use. For example, many people still use passwords which are easy to guess: their fist names, their initials, their host name spelled backwards, a string of characters which are easy to type in sequence (e.g. ZXCVBNM).
- 1986 - A Brief History of Cyber Crime - In 1986 the systems administrator at the Lawrence Berkeley National Laboratory, Clifford Stoll, noted certain irregularities in accounting data. Inventing the first digital forensic techniques, he determined that an unauthorized user was hacking into his computer network. Stoll used what is called a “honey pot tactic,” which lures a hacker back into a network until enough data can be collected to track the intrusion to its source. Stoll’s effort paid off with the eventual arrest of Markus Hess and a number of others located in West Germany, who were stealing and selling military information, passwords and other data to the KGB.
- 1988 - THE HISTORY OF CYBERSECURITY - a man named Robert Morris had an idea: he wanted to gauge the size of the internet. To do this, he wrote a program designed to propagate across networks, infiltrate Unix terminals using a known bug, and then copy itself. This last instruction proved to be a mistake. The Morris worm replicated so aggressively that the early internet slowed to a crawl, causing untold damage. The worm had effects that lasted beyond an internet slowdown. For one thing, Robert Morris became the first person successfully charged under the Computer Fraud and Abuse Act (although this ended happily for him – he’s currently a tenured professor at MIT). More importantly, this act also led to the formation of the Computer Emergency Response Team (the precursor to US-CERT), which functions as a nonprofit research center for systemic issues that might affect the internet as a whole. Morris Worm
- 1987 -History Of Antivirus - At the end of 1987 there was big movement in the antivirus industry, with the founding of the, now world famous, McAfee company (now owned by Intel) and the creation of first set of antivirus products. G Data Software was reportedly the first to market that year with ‘Ultimate Virus Killer 2000’, shortly followed by McAfee’s ‘Virus Scan’.
- 1984-1986 - The History and Evolution of Intrusion Detection - Between 1984 and 1986, Dorothy Denning and Peter Neumann researched and developed the first model of a real-time IDS. This prototype was named the Intrusion Detection Expert System (IDES). This IDES was initially a rule-based expert system trained to detect known malicious activity. This same system has been refined and enhanced to form what is known today as the Next-Generation Intrusion Detection Expert System (NIDES)
- 1980-1994 - Who Invented The Firewall? - William Cheswick and Steven Bellovin, who literally wrote the book on firewalls in 1994 while at AT&T Bell Labs, say they didn't invent the firewall, either -- they built a circuit-level gateway and packet filtering technology. Most security experts trace the firewall's roots, back to work done at Digital Equipment Corp. in the late 1980s by Jeff Mogul, Brian Reid, and Paul Vixie, starting with the gatekeeper.dec.com gateway, as well as to Mogul's "screend" technology. DEC SEAL, which was shipped in 1992, was the first commercial firewall and included proxies developed by Ranum. "DEC SEAL was interesting because it had a part number and a manual and a corporation behind it," Ranum says.
✶Click Headshots for Full Bio✶
Security is Not Deterministic. Tell Your CISO to get over it; Yeah, they want to know, “are we secure?” “Did that next gen $2M PoS help us get secure?” “I hear that new AI thing I don’t understand will fix our security problems?”
No. The answer is no. There is no ‘Yes’ answer to security. Tell your CISO and the Board: No matter WTF you do, you will never be secure. Ain’t gonna happen.
SANE PEOPLE: “Are you or your organization ever going to be 100% secure?” (Crazies need no respond.) of course not.
Simply, there is no such thing as secure (100% free of any threat or chance of violation) nor is there any chance of 0% security even if you have your computers turned off. Hard copy is still a threat.
So, what does Winn mean?
I want everyone to get over this binary concept of absolutism. There is no perfect security (100%) and there is no 100% absesses of security (0%).
Therefore, all security must be somewhere on the spectrum of >0 and < 100. Even you MBAs get that, eh? :)